Privacy Policy
Last updated: April 2026
1. Data controller
Atlas Life Sciences GmbH
Aroser Allee 68, 13407 Berlin
Email: clinical@atlasbiolabs.com (privacy matters)
2. Definitions
This policy uses the terms defined in Article 4 GDPR (including 'personal data', 'processing', 'controller', 'processor', 'consent', 'data subject'). Where this policy refers to 'we', 'us', or 'our', it refers to Atlas Life Sciences GmbH as the data controller.
3. Data processing on website visits
When you visit protocol.atlasbiolabs.com, our servers automatically record standard access data: IP address, browser type and version, operating system, referrer URL, and the time of access.
Log files are stored for 7 days and then automatically deleted.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in secure operation of the website.
4. Cookies
We use essential cookies required for session handling and checkout. Where applicable, we may use analytics cookies (e.g. Vercel Analytics) only with your prior consent.
Legal basis: Art. 6(1)(f) GDPR for essential cookies; Art. 6(1)(a) GDPR (consent) for analytics or non-essential cookies.
5. Customer data (order processing)
When you place an order, we process: name, email, shipping address, date of birth, and payment information (payment information is processed by Stripe and not stored on our systems).
Purposes: order fulfillment, customer communication, legal compliance.
Legal basis: Art. 6(1)(b) GDPR — contract performance.
Retention: customer data 3 years after the last transaction; tax-relevant order data 10 years per HGB/AO.
6. Genetic and biological data (special category per Art. 9 GDPR)
Atlas Protocol processes genetic data (Atlas Baseline) and biological methylation data (Atlas Trace). This constitutes special category personal data under Art. 9 GDPR.
Legal basis: Art. 9(2)(a) GDPR — explicit consent of the data subject (collected at checkout).
Storage: physical samples and derived genetic/epigenetic data are stored at the Atlas Biolabs laboratory facility, Aroser Allee 68, 13407 Berlin, Germany.
Access is restricted to authorized laboratory and clinical staff only. We do not sell genetic data to third parties. We do not share genetic data with insurance companies or employers; such sharing is prohibited under §4 GenDG and general privacy principles.
Retention: genetic and biological data are retained indefinitely unless the customer requests deletion. This enables longitudinal re-analysis as scientific understanding advances. Customers may request permanent deletion at any time via clinical@atlasbiolabs.com.
Derived reports (structured findings summaries) remain in the customer's service record for the retention period of order data (10 years for the tax-relevant portion).
Right to withdraw consent: customers may withdraw consent at any time, triggering destruction of stored samples and erasure of raw genetic data. Derived reports may be retained for legal compliance purposes.
7. Data processors and recipients
We engage the following processors and recipients to deliver the service:
- Stripe Payments Europe Ltd (payment processing, Ireland) — standard GDPR-compliant DPA in place.
- Vercel Inc. (hosting, US) — Standard Contractual Clauses and EU-U.S. Data Privacy Framework.
- Atlas Biolabs laboratory (Atlas Life Sciences GmbH, Berlin) — internal, same legal entity.
- Life & Brain GmbH (Bonn, Germany) — methylation array analysis partner for Atlas Trace.
- Shipping providers (DHL / DPD) for kit delivery.
All processors are bound by data processing agreements per Art. 28 GDPR.
8. International data transfers
Where data is processed outside the EU (primarily Vercel in the United States), the transfer is safeguarded via Standard Contractual Clauses and the EU-U.S. Data Privacy Framework where applicable.
9. Data subject rights (Art. 15-22 GDPR)
You have the following rights regarding your personal data:
- Right to access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right to withdraw consent (Art. 7(3))
Contact: clinical@atlasbiolabs.com
10. Right to lodge a complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a supervisory authority.
Supervisory authority: Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI), Friedrichstraße 219, 10969 Berlin. https://www.datenschutz-berlin.de
11. Contact for privacy inquiries
For all privacy-related inquiries, please contact: clinical@atlasbiolabs.com.